Dynamic configuration in OpenSearch Dashboards

Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can manage common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes descriptions of the options currently covered by dynamic configuration:

  • Disable or enable multi-tenancy: Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk of data loss. If and when an administrator chooses to reenable tenancy, all previously saved objects are preserved and made available. The default is multitenancy_enabled: true.

    This setting does not have an impact on the global tenant, which always remains enabled.

  • Disable or enable private tenant: This option allows administrators to enable and disable private tenants. As with the enable multi-tenancy setting, when private tenants are reenabled all previously saved objects are preserved and made available.

  • Default tenant: This option allows an administrator to choose either a global, private, or custom tenant as the default when users log in. In cases where a user doesn’t have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the opensearch_security.multitenancy.tenants.preferred setting in the opensearch-dashboards.yml file. See Multi-tenancy configuration for more information about this setting.

Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their Dashboards session once the changes are saved. For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in.

The global tenant, however, is a special case. Because this tenant is never disabled, users with the global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user’s session.

Configuring multi-tenancy in OpenSearch Dashboards

To configure multi-tenancy in Dashboards, follow these steps:

  1. Begin by selecting Security in the Dashboards home page menu. Then select Tenancy from the Security menu on the left side of the screen. The Multi-tenancy page is displayed.
  2. By default, the Manage tab is displayed. Select the Configure tab to display the dynamic settings for multi-tenancy.
    • In the Multi-tenancy field, select the Enable tenancy check box to enable multi-tenancy. Clear the check box to disable the feature. The default is true.
    • In the Tenants field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled.
    • In the Default tenant field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users.
  3. After making your preferred changes, select Save changes in the lower right corner of the window. A pop-up window appears listing the configuration items you’ve changed and asks you to review your changes.
  4. Select the check boxes beside the items you want to confirm and then select Apply changes. The changes are implemented dynamically.

Configuring multi-tenancy with the REST API

In addition to using the Dashboards interface, you can manage dynamic configurations using the REST API.

Get tenancy configuration

The GET call retrieves settings for the dynamic configuration:

  1. GET /_plugins/_security/api/tenancy/config

copy

Example response

  1. {
  2. "mulitenancy_enabled": true,
  3. "private_tenant_enabled": true,
  4. "default_tenant": "global tenant"
  5. }

Update tenant configuration

The PUT call updates settings for dynamic configuration:

  1. PUT /_plugins/_security/api/tenancy/config
  2. {
  3. "default_tenant": "custom tenant 1",
  4. "private_tenant_enabled": false,
  5. "mulitenancy_enabled": true
  6. }

copy

Example response

  1. {
  2. "mulitenancy_enabled": true,
  3. "private_tenant_enabled": false,
  4. "default_tenant": "custom tenant 1"
  5. }

Dashboardsinfo API

You can also use the Dashboardsinfo API to retrieve the status of multi-tenancy settings for the user logged in to Dashboards:

  1. GET /_plugins/_security/dashboardsinfo

copy

Example response

  1. {
  2. "user_name" : "admin",
  3. "not_fail_on_forbidden_enabled" : false,
  4. "opensearch_dashboards_mt_enabled" : true,
  5. "opensearch_dashboards_index" : ".kibana",
  6. "opensearch_dashboards_server_user" : "kibanaserver",
  7. "multitenancy_enabled" : true,
  8. "private_tenant_enabled" : true,
  9. "default_tenant" : "Private"
  10. }